Architectural secure system for digital file in cyber space

ABSTRACT

The ART-CRYPTO secure architecture, designed for cyber security, keeps the digital file/data encrypted at all times except during the processing period. The architecture's crypto engine is the Fast Key-Changing Apparatus (FKCA) for AES cipher, which uses a key stream to achieve the file encryption/decryption, wherein the key stream prevents side channel attack and there is no key management. The architecture's Identification and Authorization Management (IAM) distributed system prevents ID fraud, malware, ransomware, spammer, and DDoS attack. A Data Base (DB) with a Special File Structure (SFS) that authorizes users to access encrypted files avoids lowering the cryptography level or designing a backdoor, either of which increases the possibility of breaching. The secure architecture also solves the dilemma of privacy and security.

CROSS-REFERENCE TO RELATED PATENT APPLICATIONS

The application is a continuation of U.S. patent application Ser. No. 12/618,771 of the title “FAST KEY-CHANGING HARDWARE APPARATUS FOR AES BLOCK CIPHER” filed on Nov. 15, 2009, and is issued as U.S. Pat. No. 8,509,424 on Aug. 13, 2013, which is incorporated herein by reference in its entirety.

REFERENCES CITED

Related U.S. Patent Documents

-   8,509,424 B2, August 2013, Deng

U.S. PATENT DOCUMENTS

-   9,710,626 B2, July 2017, Bhushan et al.
-   7,769,165 B2, August 2010, Jakubowski et al.
-   10,033,702, July 2018, Ford et al.
-   9,843,624, December 2017, Taaghol et al.
-   9,455,955, September 2016, Fetik
-   7,630,986, December 2009, Herz et al.
-   10,176,095, January 2019, Ferguson et al.
-   2003/0202658 A1, October 2003, Verbauwhede
-   2004/0202317 A1, October 2004, Demjanenko et al.
-   2005/0213756 A1, September 2005, Hubert
-   2009/0125997 A1, May 2009, Cook

OTHER REFERENCES

-   Jong J. Buchholz, “MATLAB Implementation of the Advanced Encryption Standard”, http://buchholz.hs-bremen.de, Dec. 19, 2001. cited by other.
-   Behrouz A. Forouzan, “Cryptography and Network Security”, pp 207-212, 2008. cited by other.
-   Deng ANTE, “Flexible ASIC Design using the Block Data Flow Paradigm (BDFP)”, NCSU, 2002. cited by other.

FIELD OF THE INVENTION

The invented architectural system and methods relate to digital data file security throughout cyber space, whether the file is in static or in mobile mode.

BACKGROUND

Digital information security in cyber space used to be supported mainly by software-oriented tools. Yet hackers use the same methods to neutralize the security and are successful most of the time. It seems that there is no good solution for cybersecurity up to this moment.

Cryptography is very effective at securing digital data files. Yet most encryption/decryption systems use a single key to encrypt/decrypt one data file or the whole system. This allows hackers to use methods like Differential Power Analysis (DPA), or powerful brute force computing such as quantum computing, to obtain the encryption key and compromise the security of digital data files. Above all, key management for a crypto system is very complicated and costly.

A software cryptography process consumes a lot of the Central Processing Unit's (CPU) computing power. Therefore, it brings down the computing performance.

Traditionally, a system administrator has the power to access all the data files in the system due to his responsibility. For this reason, it is rather easy for a system administrator to steal top classified information if the system administrator is not trustworthy. It is also difficult to prevent an ex-employee from stealing classified files when he/she leaves the company.

It seems that the fight between lowering the cryptography level for the Justice Department, which desires to monitor criminal activities, and protecting personal privacy has been going on forever. This issue has been brought to the Congress and discussed without a good solution.

Sometimes, it is difficult for a traditional computing system to find the initiator behind an executing program. To know the program initiator is extremely important to prevent fraud, malware, ransomware, spammer, and DDoS attack.

Nowadays, a cyber security system needs to have its security parameters set all the time to accommodate new customers. There is no set-and-forget system on the market. Besides, it is rather easy for IT personnel to make mistakes and give hackers opportunities.

In view of the digital data security issues mentioned above, a new security system, the ART-CRYPTO secure architecture, is invented.

BRIEF SUMMARY

A cyber space security system is invented in which digital files are always encrypted except during the processing period, using the invented ART-CRYPTO secure architecture. The ART-CRYPTO secure architecture comprises a User Interface (UI), an Identity and Authorization Management (IAM) module, a Data Base (DB) with a Special File Structure (SFS), a Cipher Engine (CE) module which comprises a Pseudo-random Number Generator (PNG) module, a Clock Speed Controller module, and an Encryption/Decryption (ED) module, an Operating System with a special Scheduler (OSS), an Isolated Random Access Memory (IRAM) whose area is isolated from other users or programs when a file is being processed, and an Application Programming Module (App) whose computing resource is a heterogeneous system which contains “multiple” general-purpose processors, special-purpose processors, and different kinds of accelerators. The concept of the secure architecture, which keeps the digital data file encrypted all the time, prevents software-oriented hacking. If a hacker steals an encrypted file, he needs the invented ART-CRYPTO secure architecture to open it. If a rival obtains a device which has the invented ART-CRYPTO secure architecture, he needs the user ID for the encrypted file to decrypt it. If a hacker uses a brute force method such as quantum computing to decrypt an encrypted file, the file will be destroyed automatically.

According to the specification of the invented ART-CRYPTO secure architecture, the files are encrypted/decrypted in the CE module using the Fast Key-Changing Apparatus (FKCA) for AES cipher engine, which processes the files in blocks where a block is 128 bits, each block of a file has its own encryption/decryption key, and the key in a different block is not repeated. The key stream of a file is generated by the PNG module and consumed by the ED module immediately after its generation within the Cipher Engine (CE) module, where the CE module is an Application Specific Integrated Circuit (ASIC).

According to the specification of the invented ART-CRYPTO secure architecture, the encrypted files in the DB have a Special File Structure (SFS) format, which comprises an Encrypted Cipher Text, the Two Codes, a Location Map (LM), and a Distribution List (DL). The first number of the Two Codes in the SFS format file is the starting key of the key stream and the second number of the Two Codes is the length of the file. The starting key (a random number) of the key stream is generated automatically by the first PNG in the PNG module when a file encryption request is raised. The key stream is generated by the second PNG in the PNG module using the starting key and the length of the file. The ED module uses the file length and the key stream to encrypt/decrypt a file. Since the encryption/decryption key is a key stream that changes on-the-fly, it is difficult to use a side channel like differential power analysis to steal the encryption/decryption keys. The key stream makes the post quantum key deciphering difficult. Besides, since the key stream is generated and consumed within an ASIC, there is no key management or storage that secures the key.

According to the specification of the invented ART-CRYPTO secure architecture, the encrypted file accessing authorization is determined by whether the user's attributes of the file exist in the DL, and whether the user passes the user Identification (ID) verification process; these checks happen in the SFS and the Identity and Authorization Management (IAM) module. The user does not need a password to access a digital data file. The file accessing authorization is managed by the file owner, his superior, or a super user through the editing of the DL. The invented ART-CRYPTO secure architecture is a set-and-forget system. The file authorization scheme limits file access to a need-to-know scope. The Department of Justice can use a court order to expose criminal activity, and there is no need to reduce the cryptography level or design a backdoor in the system.

According to the specification of the invented ART-CRYPTO secure architecture, the secure architecture itself is embedded in all computing devices, systems, sensors, and network environments throughout the Internet. The IAM modules in every device form a subsystem, which verifies the user ID, updates the user ID, and disseminates the user ID to every device wherever the user's digital data file exists. According to the specification of the invented ART-CRYPTO secure architecture, the IAM module is designed to store the user ID, where the user ID can be updated or erased, but not retrieved from the IAM module. Therefore, the IAM modules in every device throughout the Internet are a distributed IAM system where all users in the cyber space are related through their files. In other words, the device acknowledges who is accessing the file. This prevents fraud, malware, ransomware, spammer, and DDoS attack.

According to the specification of the invented ART-CRYPTO secure architecture, the user ID comprises the user's biometrics, device hardware address, network domain name, routing addresses, geolocation information, and a Special Variable (SV). The SV is generated by an SV device and updates the user ID each time a user logs in to a computing device.

According to the description of the specifications of the invented ART-CRYPTO secure architecture, the system architecture only allows an authorized user, whose user ID matches what was previously stored in the IAM module and whose attributes of the file exist in the DL, to access the encrypted file. The files in this system are always encrypted, either at rest or in mobile, except during the processing period.

According to the description of the specifications of the invented ART-CRYPTO secure architecture, the IAM module has an Artificial Intelligence (AI) unit, which is designed to process a user's interactive biometric ID data verification while the user ID is not fully matched with the stored original user ID, or the IAM module suspects that it is not a real user using a computing device.

According to the description of the specifications of the invented ART-CRYPTO secure architecture, the plaintext of a file is processed in an Isolated Random-Access Memory (IRAM), which is assigned by the OSS, where only the authorized user or program can access it. The IRAM is reset back to zero right after the file is processed.

According to the description of the specifications of the invented ART-CRYPTO secure architecture, the plaintext of a file is processed in parallel according to the data computing structure. The architecture uses a heterogeneous computing system, which is composed of multiple and different processors, to process the plaintext file. The data computing structure is analyzed by the Operating System Scheduler (OSS). The plaintext, after being processed by the App module, will be encrypted, attached with the Two Codes, the Location Map, and the DL, and then sent back to the DB.

According to the description of the specifications of the invented ART-CRYPTO secure architecture, the OSS module coordinates the User Interface (UI), the IAM module, the Data Base (DB), the Cipher Engine (CE) module, the IRAM and the App module, to operate the user ID verification process, the file encryption/decryption process, the analyzing of the file data computing structure, the designating of the IRAM and the computing resource, where the computing resource is a heterogeneous processor system, and the plaintext execution.

According to the description of the specifications of the invented ART-CRYPTO secure architecture, the encrypted file will be removed, transferred, or self-destroyed from the DB of the device or the computing system if the user on the device fails to access the encrypted file a certain number of times. This prevents hackers who use a brute force method such as a quantum computer from neutralizing the secure system.

According to the description of the specifications of the invented ART-CRYPTO secure architecture, the Auto Configuration unit in the ED module configures the number of processors in the ED scalable processor array according to the length of a file, which accommodates large granularity data file processing. The Clock Speed Controller module in the CE module adjusts the clock speed between the inputting data rate of the ED module, the inputting key stream rate of the ED module, and the processing speed of the ED processor array, to fine tune small granularity data file processing.

BRIEF DESCRIPTION OF THE DRAWINGS

The drawings illustrate the key components, file processing procedures, and file structure of the invented ART-CRYPTO secure architecture.

FIG. 1 shows all the devices and subsystems that contain the invented ART-CRYPTO secure architecture, connected to and communicating with each other through wired or wireless internet.

FIG. 2 shows the key components, data flow, and the control signals between them, of the invented ART-CRYPTO secure architecture.

FIG. 3 shows the file processing procedures of the invented ART-CRYPTO secure architecture.

FIG. 4 shows the Cipher Engine of the invented ART-CRYPTO secure architecture.

FIG. 5 shows the Pseudo-number Generator set of the invented ART-CRYPTO secure architecture.

FIG. 6 shows the Encryption/Decryption module of the invented ART-CRYPTO secure architecture.

FIG. 7 shows the Encryption/Decryption processor array of the invented ART-CRYPTO secure architecture.

FIG. 8 shows the IAM module matching mode block diagram of the invented ART-CRYPTO secure architecture.

FIG. 9 shows the IAM module updating Random Variable and inputting ID mode block diagram of the invented ART-CRYPTO secure architecture.

FIG. 10 shows the file structure of the invented ART-CRYPTO secure architecture.

DETAILED DESCRIPTION

The ART-CRYPTO secure architecture provides security for digital files (audio, video, text, or sensor signals such as C4ISR signals), whether static or mobile, in the system or out of the system, through a Cipher Engine (CE), an Identity Authorization and Management (IAM) distributed system, and its security architecture, which are embedded in computing devices, smart phones, systems, sensors, and network environments throughout the Internet.

According to the specifications of the ART-CRYPTO secure architecture, a digital file is always encrypted (either static or mobile, either in the system or out of the system), except during the processing period in a computing device. During this processing time, the file is decrypted into plaintext and sent to an isolated RAM memory which no other user or program can access, except those who are authorized. After the file is processed, the file will be automatically encrypted and sent back to a special file system in the Data Base, and the isolated RAM memory will be reset back to zero. It is rather difficult for an implant chip on the motherboard to investigate the vulnerabilities of the invented secure system.

According to the specifications of the invented ART-CRYPTO secure architecture, the special file system has a special structure, in which each file contains an encrypted cipher text, the two codes, the file location map, and the file distribution list. The two codes include, first, a Pseudo Random Number (PRN), which is the starting key of the key stream for the Encryption/Decryption process in the CE module, and second, the key stream length; the file location map indicates all the locations where the file is located; the file distribution list contains all authorized users and their attributes. According to the specifications of the invented ART-CRYPTO secure architecture, the file distribution list can only be modified by the file owner, his superior, or the super user. The files in the invented ART-CRYPTO secure architecture are controlled by the file distribution list so that the encrypted file will only be decrypted based on the need-to-know principle. There is no need to reduce the system cryptography level or set up a back door for a special user, such as the FBI, to access the file. This file distribution list scheme limits insider theft, such as that of Edward Snowden, that compromises a wide scope of system files.

According to the specifications of the invented ART-CRYPTO secure architecture, the owner or user who accesses the file must be identified and authorized by the Identification and Authorization Management (IAM) module. The IAM module in every device is connected to the internet and forms part of a distributed IAM system. The IAM module not only uses the user's real-time biometric information to compare with the stored personal credential information but also uses a specially designed device, which generates a random variable, to identify the user's real identity. The user does not need to remember any password; the traditional password security mechanism does not exist in the invented ART-CRYPTO secure architecture; and it must be a real person logging on to a computing device, which has an IAM module built in, to access an encrypted file, either locally or remotely.

According to the specification of the invented ART-CRYPTO secure architecture, a file is divided into blocks. The block size is 128 bits/block and each block has its own encryption/decryption key. The key stream that provides keys for the encryption/decryption module is generated by a Pseudorandom Number Generator (PNG) hardware device, and the Encryption/Decryption (ED) module and the PNG module are packaged in one Application Specific Integrated Circuit (ASIC). The key stream is consumed right after its generation within the ASIC. There is no need to store the keys, protect them in a safe area, or manage them. According to these specifications of the invented secure architecture, the system is both agile enough to accommodate a post quantum computing scenario and proof against side channel eavesdropping (i.e., Differential Power Analysis, DPA).

The invented ART-CRYPTO secure architecture comprises a User Interface (UI), an Identity and Authorization Management (IAM) module, a Data Base (DB) with a Special File structure, a Cipher Engine (CE) which is composed of a PNG module and an Encryption/Decryption (ED) module, an Operation System with a special Scheduler (OSS), an Isolated Random Access Memory (IRAM) whose area is isolated when a file is being processed, and an Application Program Module (App) whose computing resource contains multiple general-purpose processors, special-purpose processors, and accelerators.

According to the specification of the invented ART-CRYPTO secure architecture, the UI is the first contact point where a user (either locally or remotely) raises a request to the local OSS and tries to access a file in the computing system or the device. The user must provide his/her newest personal credential identification, which is provided by the IAM module (either locally or remotely), to the UI module. This newest user identification data is updated and stored in the IAM module of the specific computer/device where the user logged on and stays. This newest user ID data will be compared with the original user ID data, which is stored in the local IAM module. If the comparison does not match, or the local IAM module is not sure that the file access request is actually raised by a real person, the UI will be informed and asked to do a further interactive biometric ID data matching. Since the UI and the IAM module help the ART-CRYPTO secure architecture to identify that it is a real person who logs on to a computing device and tries to access a file, it prevents Distributed-Denial-of-Service (DDoS) attack.

According to the specification of the ART-CRYPTO secure architecture, the system includes the Identification Authorization and Management (IAM) module. The IAM module cooperates with the Operating System Scheduler (OSS) and the file distribution list, which is in the DB, and authorizes a user to access a file under the condition that the user ID is matched with the original user ID that is stored in the IAM module.

The IAM module is embedded in every device (PC, workstation, server, IoT sensor, pad, notebook, HPC, PDA, device like Google gargle, smart phone, smart watch, etc.) and it contains user ID data. The user ID data in the IAM module includes user biometrics, device hardware address, network domain name, routing addresses, geolocation information, etc.; and above all, it contains a Special Variable (SV).

According to the specification of the ART-CRYPTO secure architecture, the SV is provided by a device which generates a random number. This random number is updated into the user ID data. The IAM modules in each device are connected through the internet and communicate with each other. Once the SV device is plugged into a user computing device and connected to the internet, it will update the newest SV to the user ID in the local IAM module and register the location of the user; this newest user ID, which includes the new location of the user, will be sent through the internet to all the IAM modules that contain the user ID. The user ID, which is in the IAM modules, accompanies the user attributes of a file, which are in the DL of the file. The SV device is activated by the user's biometrics. The SV that is generated by a device is, for example, an “image parameter”, where the parameter is calculated by averaging the gray level number of the pixels of a photo, or a stock market value, temperature, friction, pressure, humidity, etc. The SV is changed at the user's desire, serves as another layer of security, and makes it more difficult for hackers to steal the user's ID.

The biometrics of a user are his fingerprints, palm prints, facial image (with different frequency images, or a facial smiling stream), iris scan, DNA, brain wave pattern, voice analysis, etc. The IAM module includes an Artificial Intelligence (AI) recognition unit, which helps the system to identify individual user's body, soul, and spiritual level of data. The AI unit in the IAM module, which cooperates with the OSS module in the computing device, is an interactive device which requests the user or the user's program to respond to a specific demand that the AI unit raises in real time when the user ID matching process is not satisfied. The demanded algorithm is decided by the AI unit in the IAM module.

According to the specification of the ART-CRYPTO secure architecture, the IAM modules are distributed in every device and are centrally controlled. The central controller oversees the communications between IAM modules. The controller can plug into any IAM module node to operate its function.

According to the specification of the ART-CRYPTO secure architecture, the IAM modules automatically generate a Network Map (NM), which uses each user device's routing address, domain name, device hardware address and the user's login identity when a user logs in on a computing device. The user device can move around within the internet, where its authorized files follow him in the nearest cloud, and his NM is changed accordingly. When the NM is established, the user ID would be verified, and his authorization to encrypted data files could be confirmed.

According to the specification of the ART-CRYPTO secure architecture, the IAM module is a hardware device that is packaged in an ASIC, where it provides personal ID data storage, modifying, and updating. The data in the ASIC cannot be retrieved in any way.

According to the specification of the ART-CRYPTO secure architecture, a special file structure in the file system, which is in the Data Base (DB), contains a file distribution list, which lets an authorized user access the file according to his attributes (read, write, edit, copy, print etc.). The distribution list can only be modified by the file owner, his superior, and the super user. The special file structure includes two code numbers, which are used by the Cipher Engine to encrypt/decrypt the file. The first code number is the starting key (seed) of the key stream, which is generated from the first pseudo number generator in the pseudo number generator module. The second number is the length of the key stream. The length of the key stream is also the number of blocks of a file, which is calculated by dividing the file length by 128. According to the specification of the ART-CRYPTO secure architecture, the special file structure includes a location map list, which describes all the locations where the file exists. The location map facilitates the management of the file.

According to the specification of the ART-CRYPTO secure architecture, the communication between the OSS and the IAM module is a point-to-point communication, which prevents software-oriented manipulation. The OSS waits specifically for the verification signal from the IAM module once a user ID verification request is raised. If the verification signal from the IAM module does not come (either a yes or a no signal) for a certain time or times and the device is connected to the Internet, the system is designed to have the file removed from the device, or the computing system, and transferred to another secure system. If the system is not connected to the Internet, the file will be self-destroyed automatically in the existing device data base. This design is to prevent the file from falling into a rival's hands and being compromised.

According to the specification of the ART-CRYPTO secure architecture, the system is designed to use the Distribution List (DL), the OSS module, and the IAM module to determine who has the authority to access the encrypted file. Only the owner of the file or authorized personnel has the authority to modify the content of the DL, such as a user's attributes of the file. It is not necessary to reduce the system cryptography level, or to use a backdoor or a master key, to facilitate a special user, such as the FBI, accessing the encrypted files. This secure design solves the issue that the Justice Department could not investigate criminal activities due to file encryption. The design also limits an administrator trying to access encrypted files beyond his authority. The design prevents internal theft, or a person who leaves his job and later tries to access his/her encrypted files, or people such as Edward Snowden, from compromising secret files. The design also limits a hacker trying to modify the Operating System (OS) or update to a different version of the OS. Viruses, malware, and ransomware are deemed to be terminated. There is no need for users to remember passwords since the distribution list and the IAM module verification process decide who can access the encrypted files.

According to the specification of the invented ART-CRYPTO secure architecture, the Cipher Engine is a hardware device, which is composed of an Encryption/Decryption (ED) module, where the processor arrays in the ED module are Fast Key-Changing Apparatus (FKCA) for AES cipher engine, a hardware Pseudo-random Number Generator (PNG) module, which has two PNGs, and a clock speed controller. One of the PNGs in the PNG module generates the cipher key stream without human interference/intervention and the other one generates a starting key for the key stream. The starting key of the file encryption key stream is automatically given by the first PNG whenever the file is to be encrypted, and this starting key is sent into the first code of the Two Codes in the Special File Structure (SFS) as well as to the second PNG. This first code of the Two Codes in the SFS is also used as the starting key of the decryption key stream in the file decryption process. These PNGs, which generate the key stream for the ED module, are packaged in the CE ASIC. It is rather difficult for a hacker to investigate the key stream since the key stream is generated and consumed immediately within a hardware ASIC. The owner of a file has no worry about key management or password management since the file encryption/decryption process is automatically operated within an ASIC without any external human interference/intervention. The owner of the file has the authority to re-encrypt the file easily, either automatically or manually, with a different key stream which is generated automatically by the PNG module.
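The key-stream bookkeeping described above and in the Special File Structure paragraph, as an added example (not code from the patent or from the ART-CRYPTO design). It assumes AES-128 as the per-block cipher, SHA-256 over a block counter as a stand-in for the second PNG, `secrets.token_bytes` as a stand-in for the first PNG, zero padding of the last block, and illustrative field names; the patent specifies none of these.

```python
import hashlib
import secrets
from dataclasses import dataclass

BLOCK = 16  # bytes per block (128 bits, as in the specification)

def _xtime(a):  # multiply by 2 in GF(2^8)
    return ((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else a << 1

def _rotl8(x, s):
    return ((x << s) | (x >> (8 - s))) & 0xFF

def _make_sbox():  # AES S-box: field inverse followed by the affine transform
    sbox, p, q = [0] * 256, 1, 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF  # p *= 3
        for s in (1, 2, 4):                                    # q /= 3
            q ^= q << s
        q = (q & 0xFF) ^ (0x09 if q & 0x80 else 0)
        sbox[p] = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63  # zero has no inverse
    return sbox

SBOX = _make_sbox()
INV_SBOX = [SBOX.index(i) for i in range(256)]

def _expand_key(key):  # 11 round keys of 16 bytes each
    w, rcon = [list(key[i:i + 4]) for i in range(0, 16, 4)], 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0] ^= rcon
            rcon = _xtime(rcon)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def _xor(a, b):
    return [x ^ y for x, y in zip(a, b)]

def _mix(s, inverse=False):  # MixColumns / InvMixColumns on a column-major state
    out = []
    for c in (s[i:i + 4] for i in range(0, 16, 4)):
        if inverse:  # pre-multiply so the forward mix below yields InvMixColumns
            u, v = _xtime(_xtime(c[0] ^ c[2])), _xtime(_xtime(c[1] ^ c[3]))
            c = [c[0] ^ u, c[1] ^ v, c[2] ^ u, c[3] ^ v]
        t = c[0] ^ c[1] ^ c[2] ^ c[3]
        out += [c[i] ^ t ^ _xtime(c[i] ^ c[(i + 1) % 4]) for i in range(4)]
    return out

def aes128_encrypt_block(block, key):
    rk = _expand_key(key)
    s = _xor(block, rk[0])
    for r in range(1, 11):
        s = [SBOX[b] for b in s]
        s = [s[(i + 4 * (i % 4)) % 16] for i in range(16)]  # ShiftRows
        if r < 10:
            s = _mix(s)
        s = _xor(s, rk[r])
    return bytes(s)

def aes128_decrypt_block(block, key):
    rk = _expand_key(key)
    s = _xor(block, rk[10])
    for r in range(9, -1, -1):
        s = [s[(i - 4 * (i % 4)) % 16] for i in range(16)]  # InvShiftRows
        s = _xor([INV_SBOX[b] for b in s], rk[r])
        if r > 0:
            s = _mix(s, inverse=True)
    return bytes(s)

@dataclass
class SFSFile:  # the four parts of the Special File Structure
    cipher_text: bytes
    two_codes: tuple         # (starting key, file length in bytes)
    location_map: list
    distribution_list: dict  # user -> attributes

def key_stream(starting_key, n_blocks):  # stand-in for the second PNG
    for i in range(n_blocks):
        yield hashlib.sha256(starting_key + i.to_bytes(8, "big")).digest()[:BLOCK]

def encrypt_file(plaintext, owner, starting_key=None):
    starting_key = starting_key or secrets.token_bytes(BLOCK)  # stand-in for first PNG
    n_blocks = -(-len(plaintext) // BLOCK)  # file length / 128 bits, rounded up
    padded = plaintext.ljust(n_blocks * BLOCK, b"\0")
    ct = b"".join(aes128_encrypt_block(padded[i * BLOCK:(i + 1) * BLOCK], k)
                  for i, k in enumerate(key_stream(starting_key, n_blocks)))
    return SFSFile(ct, (starting_key, len(plaintext)), ["db://local"], {owner: {"read", "write"}})

def decrypt_file(sfs):
    starting_key, length = sfs.two_codes
    n_blocks = -(-length // BLOCK)
    pt = b"".join(aes128_decrypt_block(sfs.cipher_text[i * BLOCK:(i + 1) * BLOCK], k)
                  for i, k in enumerate(key_stream(starting_key, n_blocks)))
    return pt[:length]
```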

According to the specification of the invented ART-CRYPTO secure architecture, the CE module is a hardware and is separated from the central processing unit (CPU), it will not bring down the performance of the CPU. The FKCA changes its key each block on-the-fly and is packaged in an ASIC. It is rather difficult to use side channel like differential power analysis to steal the key stream. According to the specification of the invented ART-CRYPTO secure architecture, the file is designed to self-destroyed after a local user fail to access the file, for example three times, in an isolated environment (where the system is not connected to the internet). It is difficult for a quantum computer to analyze and catch up with the on-the-fly FKCA key stream.

According to the specification of the ART-CRYPTO secure architecture, the CE module has two special characteristics concerning the data file processing speed. The first characteristic is that the CE module is scalable and accommodates to large granularity data processing by using an Auto Configuration unit in the ED module. The Auto Configuration unit configures the number of FKCAs in the ED processor array according to the length of the file. The ED processor array is built in Block Data Flow Architecture, which is a parallel pipeline hardware architecture. The other characteristic of the CE module is to make a fine adjustment for data processing speed by using a Clock Speed Controller in the CE module and to adjust the speed ratio between two clocks. The clock speed controller has a feedback signal input, which is generated from the ED module, and is used to optimize the speed ratio between the two clocks. These two clocks are input into the PNG module and the ED module. The PNG module is a hardware and is designed to have five inputs, one key stream and one key stream seed outputs.

The design of pairing the PNG and the ED module creates a hardware device that does not use outside memory to store the key stream nor use an extra outside key management. The key stream that generates from the PNG module is consumed in the ASIC on-the-fly by the ED module immediately. The key stream is never exposed outside of the ASIC. There is no need to manage the key stream. There is no way for hackers to use side channel or other method to steal the key stream. According to the specification of the invented ART-CRYPTO secure architecture, the design of the PNG module, the key stream, and the ED module architecture is different from those traditional secure systems, which must use many ways to secure key and password.

According to the specification of the invented ART-CRYPTO secure architecture, the system has an Isolated Random-Access Memory (IRAM) architecture, which is designated by the OSS as an isolated memory area for plaintext file processing. This area restricts all other users to access to it, except those authorized users, while a plaintext file is being processed. This restriction will be expired when the data is processed, sent back to DB, and the area is reset back to zero. The App module processed file will be encrypted, attached with a Distribution List, a Location Map, and a Two Codes.

The OS Scheduler (OSS) module in the ART-CRYPTO secure architecture coordinates between the User Interface (UI), IAM module, Data Base (DB), Cipher Engine (CE), isolated RAM area and Application program (App) module. When the OSS module receives a request through the UI from a user trying to access an encrypted file, it sends a signal to the DB to search for the user's file attribute in the Distribution List (DL). If the user's file attribute is verified, the OSS module will send another signal to the IAM module asking for user ID verification. If the verification process fails, the OSS module will inform the user through the UI and reject the request. If the user ID matches the original stored user ID which is in the IAM module, the OSS module will schedule the user's request and execute its command.

According to the specification of the invented ART-CRYPTO secure architecture, the OSS module designates an area of the IRAM for processing the plaintext after the user ID is verified. An application program is selected by the OSS module according to the data file computing structure. The data computing structure is, for example, image processing, video processing, voice processing, text processing, or Machine Learning. The OSS module analyzes the data computing structure and assigns the system resources (such as how many processor units and what kind of processor, CPU, GPU, FPGA, or ASIC, are to be used) to the application program module to do data parallel processing. After the plaintext data is processed, the result data will be sent back to the CE module to be encrypted, the IRAM area will be reset back to zeros, and the encrypted file will be stored back to the DB module.

The detailed description of the figures follows:

FIG. 1 is a diagram 800 of the internet system 808, connected either through wire 811 or wireless 810, where the invented ART-CRYPTO secure architecture 100 is embedded in every device and the IAM modules 102 in the ART-CRYPTO secure architecture 100 communicate with each other through the internet 808. The devices connected to the internet system 808, which are not limited to those illustrated, are mobile phones 801, security systems 802, personal computers 803, data center servers 804, mission critical systems 805, sensors 806, and IoT devices 807.

FIG. 2 is a block diagram 200 that describes how a request (accessing an encrypted file) from the user is processed. According to the specification of the invented ART-CRYPTO secure architecture 100, when a user raises a request to access the file 201, the system will search the file DL 904 for the attributes of the user, according to the user ID. If the user file attribute is not included in the file DL 904, the request will be rejected, and the process will be ended 209. If the user file attribute is included in the file DL 904, the system will ask the user for further user ID verification 202. If the user ID verification fails, the user request will be ended 209. If the user ID is matched with the stored user ID in the IAM module 102, the system will enable the user's request and execute 203 the encrypted file. The encrypted file will be decrypted 204 first, then the plaintext will be sent 205 to an isolated area in the RAM module 106. After the RAM module 106 receives the plaintext file, the RAM module 106 will have the OSS module 103 assign processing resources and execute the application program 206. After the application program finishes its execution, the result data will be encrypted 207 and the isolated RAM area 106 will be reset to zero. The resulting encrypted file will then be sent 208 back to the DB module 104 to update the stored data. The user's request task will be ended 209 after the data has been updated.
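The FIG. 2 sequence can be modeled in software to show the order of the two gates and the IRAM reset on every exit path. The following Python sketch is an added illustration, not code from the patent: the class and function names, the keyed-hash storage of user IDs, the string outcomes, and the `ce_stub` transform standing in for the CE module are all assumptions, and the sample data is constructed.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class SfsFile:
    """Constructed stand-in for the Special File Structure 900."""
    cipher_text: bytes        # Encrypted Cipher Text 901
    distribution_list: set    # Distribution List 904 (user names, assumed)


class Iam:
    """IAM module 102 model: IDs can be enrolled and matched, never read back."""

    def __init__(self):
        self._pepper = os.urandom(32)   # assumption: per-device secret
        self._digests = {}

    def _digest(self, id_data: bytes) -> bytes:
        return hmac.new(self._pepper, id_data, hashlib.sha256).digest()

    def enroll(self, user: str, id_data: bytes) -> None:
        self._digests[user] = self._digest(id_data)

    def matches(self, user: str, id_data: bytes) -> bool:
        stored = self._digests.get(user)
        if stored is None:
            return False
        return hmac.compare_digest(stored, self._digest(id_data))


class Iram:
    """Isolated RAM area 106: plaintext lives here only during processing."""

    def __init__(self, size: int):
        self.area = bytearray(size)
        self.used = 0
        self.loads = 0   # how many times plaintext was ever placed here

    def load(self, plaintext: bytes) -> None:
        if len(plaintext) > len(self.area):
            raise ValueError("plaintext larger than the designated IRAM area")
        self.area[:len(plaintext)] = plaintext
        self.used = len(plaintext)
        self.loads += 1

    def reset(self) -> None:
        self.area[:] = bytes(len(self.area))   # overwrite in place with zeros
        self.used = 0

    def is_zero(self) -> bool:
        return not any(self.area)


def ce_stub(data: bytes) -> bytes:
    """Stand-in for CE module 105: a reversible byte transform, NOT a cipher."""
    return bytes(b ^ 0x5A for b in data)


def handle_request(user, id_data, name, db, iam, iram, app):
    """Run steps 201-209 of FIG. 2 and return the outcome as a string."""
    sfs = db[name]
    if user not in sfs.distribution_list:        # 201: DL lookup comes first
        return "rejected: not in DL"
    if not iam.matches(user, id_data):           # 202: IAM ID verification
        return "rejected: ID mismatch"
    iram.load(ce_stub(sfs.cipher_text))          # 204-205: decrypt into IRAM
    try:
        # 206: the application runs on the plaintext. Python hands it a copy;
        # the hardware described on the page would work inside the IRAM itself.
        result = app(bytes(iram.area[:iram.used]))
        new_cipher_text = ce_stub(result)        # 207: re-encrypt the result
    except Exception:
        return "failed: application error"       # stored file stays untouched
    finally:
        iram.reset()                             # zero the IRAM on every path
    sfs.cipher_text = new_cipher_text            # 208: update the DB
    return "done"                                # 209
```

Both rejections return before anything is decrypted, and the `finally` clause resets the IRAM whether the application completes or raises.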

FIG. 3 is the system block diagram 100 of the invented ART-CRYPTO secure architecture. The key components of the system are User Interface (UI) module 101, Identification Authorization and Management (IAM) module 102, Operating System Scheduler (OSS) module 103, Data Base (DB) module 104, Cipher Engine (CE) module 105, Random Access Memory (RAM) module 106, and Application program (App) module 107.

UI module 101 is designed to receive task requests from either a local or a remote user, temporarily store the user's Identification Data (ID), send the request signal of the user through 110 to the OSS module 103, send the user ID to the IAM module 102 through 113, wait for the verification result from the IAM module 102 where the original user ID was stored, and request the user IAM module where the user logged on for further ID verification in real time if the Artificial Intelligence (AI) unit in the Decision Making Logic 602 is not satisfied with the task requesting user's ID.

IAM module 102 is designed to do user identification, authorization, and management. During the ID verification process, the IAM module 102 receives the matching request signal from the OSS module through 112. The user who requests access to the encrypted file will provide his ID in the UI module 101 and send it to the IAM module 102 through 113. If the user ID is matched with the original user ID stored in the IAM module 102, then a match signal will be sent through 114 to the OSS module 103. If the AI unit in the IAM module 102 is not satisfied with the user ID during the matching process, a real-time interactive signal, which asks the user to send more biometric data for the further verification process, will be sent through 113 to the UI module 101.

During updating the user ID Special Variable (SV) or updating/inputting new user ID process, the IAM module 102 uses a composite line 113 as an interface to communicate with the remote IAM module, local SV device, local new user, and remote Top IAM control module.

DB module 104 is designed to store encrypted files. According to the specification of the invented ART-CRYPTO secure architecture, it has a special file structure 900, which includes a distribution list 904 for the encrypted file 901. The OSS module 103 will send a user ID through 111 to the DB module 104 when a user in the UI module 101 raises a request to access the encrypted file 901. After verifying the attributes of the user in the distribution list 904, the DB module 104 will send a signal to OSS module 103 through 111 requesting further user ID matching process. If the user ID matching process is successful, the OSS module 103 will execute the encrypted file 901 by sending a signal through 115 to the DB module 104. After receiving an enable file execution signal from the OSS module 103 through 115, the DB module 104 will send the encrypted file 901 to the CE module 105 through 116. When the plaintext of a file is being executed and re-encrypted, the CE module 105 will send it back to the DB module 104 through 123 for updating the encrypted file 901.

CE module 105 is designed to encrypt/decrypt files. According to the specification of the invented ART-CRYPTO secure architecture, the CE module 105 will process the encrypted file 901 according to the two codes 902 in the special file structure 900 when it receives the encrypted file 901 from the DB module 104 through 116. The decrypted plaintext file will be sent through 117 to the IRAM module 106, where the area of the IRAM module 106 is designated by the OSS module 103. When the application program module 107 finishes its execution with the plaintext, the OSS module 103 will send the result data from the IRAM module 106 back to the CE module 105 through 122. The CE module 105 will then encrypt the result plaintext file, attach the two codes 902, the location map 903, the distribution list 904, and send it back to the DB module 104 through 123.

The IRAM module 106 is designed to temporarily store the plaintext file that is sent from the CE module 105 through 117 and is isolated from unauthorized users. After the IRAM module 106 finishes receiving the plaintext file from 117, it sends a request signal to the OSS module 103 through 118, asking the OSS module 103 to allocate and configure the processing resources (such as multiple CPUs, multiple accelerating processors, FPGAs, ASICs, and special memory architectures) according to the data computing structure of the plaintext file through 119. The Application module 107, which contains the allocated and configured processing resources, will execute the plaintext file in the IRAM module 106 through 120. After the plaintext file is processed, the IRAM module 106 will receive a store back signal from the OSS module 103 through 121 and send the result file back to the CE module 105 through 122.

According to the invented ART-CRYPTO secure architecture, the Application programming module 107 is designed to contain different processing resources, which include multiple different CPUs, accelerating processors, FPGAs, ASICs, and special memory architectures. The configuration of the processing architecture is proprietary data which is held in a lookup table and is formed according to the data file computing structure. The Application module 107 receives designating and configuring signals from the OSS module 103 through 119 and executes the file in the IRAM module 106 through 120.

The OSS module 103 is designed as the central controller of the invented ART-CRYPTO secure architecture on a device. It controls the user identification and authorization process, the file encryption and decryption process, and the file execution process. The OSS module 103 receives a request for accessing an encrypted file 901 signal from the UI module 101 through 110 and then sends a user ID through 111 to the DB module 104 to search for the file attributes of the user in the file DL 904. If the user file attribute is not in the file DL 904, then the OSS module 103 will send a reject signal to the UI module 101 through 110. If the user file attribute is in the file DL 904, the OSS module 103 will send a signal to the IAM module through 112 requesting for the user ID verification process. If the user ID is matched with the original user ID stored in the IAM module 102, a matched signal will be sent from the IAM module 102 through 114 back to the OSS module 103. The OSS module 103 will then issue an enable signal through 115 to the DB module 104 and start the file decryption process.

According to the specification of the invented ART-CRYPTO secure architecture, the OSS module 103 receives a starting file execution signal sent from IRAM module 106 through 118 when the IRAM module 106 receives the plaintext file. The OSS module 103 then configures a special memory architecture through 118 in the IRAM module 106 according to the proprietary lookup table, and designates different multiple CPU, GPU, FPGA, and ASIC in the heterogeneous APP module 107 through 119 for data parallel processing. The OSS module 103 sends a file storing back signal through 121 to the IRAM module 106 when it receives the execution file finished signal from the APP module 107 through 119.

FIG. 4 illustrates the Cipher Engine module 300 (labeled 105 in FIG. 3). It has three main components, the Pseudo Number Generator module 301, the Clock Speed Controller 302, and the Encryption/Decryption module 400. The Pseudo Number Generator module 301 has five inputs and two output ports. 310 is the seed signal and is a bidirectional input/output port. The seed 310 is the first key of the encryption/decryption key stream. It is an input port when the CE module 300 is used in a decryption process and is an output port when the CE module 300 is used in an encryption process. 320 is an enable input signal. The enable signal 320 triggers the first pseudo number generator 701 in the Pseudo Number Generator module 301/700 to generate a random number. This random number provides the seed input 710 for the second pseudo number generator 702, and the first code of the Two Codes 902 in the special File Structure 900.

According to the specification of the invented ART-CRYPTO secure architecture, the Length signal 311 is a signal that is related to the length of the file. The Length signal 311 is input into both the Pseudo Number Generator (PNG) module 301 and the Encryption/Decryption (ED) module 400. The PNG module 301 uses the Length signal 311 to generate a pseudo key stream 312 for the ED module 400. The ED module 400 uses the Length signal 311 to configure the encryption/decryption array 500 so that the array is scalable to accommodate the data processing throughput of the ED module 400. A Reset signal 317 is input to both the PNG module 301 and the ED module 400. Every time the CE module 300 finishes a file encryption or decryption, the memory or FIFO in both the PNG module 301 and the ED module 400 needs to be cleared. The Pseudo key stream 312 is generated from the PNG module 301 and input into the ED module 400. Every key in the Pseudo key stream 312 is used in the ED module 400 to encrypt/decrypt one block of the data file.

According to the specification of the invented ART-CRYPTO secure architecture, there are two clocks of different speeds in the CE module 300. The Clock 1 315 is distributed into the PNG module 301 and the ED module 400. The Clock 2 316 is input only into the ED module 400. A feedback signal 318 comes out of the ED module 400 and is input into the Clock Speed Controller 302. This feedback signal 318 is used in the Clock Speed Controller 302 to adjust the speed ratio between the Clock 1 315 and the Clock 2 316. The system clock is 319 and is input into the Clock Speed Controller 302. The CE module 300 data input is 314 and is input into the ED module 400. The CE module 300 data output 313 is the output of the ED module 400. This data output 313/117 is sent to the IRAM module 106 when the CE module 300 is in the decryption process and is sent 313/123 to the DB module 104 when the CE module 300 is in the encryption process. The CE module 300 can process encryption as well as decryption simultaneously.

FIG. 5 illustrates the PNG module 700 (labeled in FIG. 4 as 301). There are two Pseudo Random Generators, 701 and 702. The Reset signal 317 and the Clock signal 315 are distributed into both Pseudo Number Generators. According to the specification of the invented ART-CRYPTO secure architecture, an Enable signal 320 is input into the Pseudo Number Generator 1 module 701 and is enabled for one clock cycle whenever the CE module 105 is in the encryption process. The Pseudo Number Generator 1 module 701 generates a seed 710/310. The seed signal 710 is input into the Pseudo Number Generator 2 module 702 and is used as the first key of the key stream. The seed signal 310 is sent out to the Two Codes 902 as the first code in the Special File Structure 900. According to the specification of the invented ART-CRYPTO secure architecture, the Length signal 311, which is the length of the file, is sent into the Pseudo Number Generator 2 702. The Pseudo Number Generator 2 702 uses the Length signal 311 to generate a key stream of the same length. The output of the Pseudo Number Generator 2 702 is 312, which is sent directly into the ED module 400 and consumed immediately.
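The relationship between the two generators, the Two Codes 902 and the per-block keys can be modeled in software. The following Python sketch is an added illustration and not the patented hardware: the page does not specify the generator algorithm, so HMAC-SHA256 is used here as an assumed stand-in for Pseudo Number Generator 2, `ed_block` is an assumed stand-in for one FKCA/AES step, the padding scheme is an assumption, and all function names are hypothetical.

```python
import hashlib
import hmac
import secrets

BLOCK = 16  # bytes in one 128-bit block


def png1_seed() -> bytes:
    """Model of generator 701: a fresh random seed for every encryption."""
    return secrets.token_bytes(BLOCK)


def png2_key_stream(seed: bytes, length: int):
    """Model of generator 702: yield `length` block keys from seed and length.

    The seed itself is the first key, as the page states. Later keys come
    from HMAC-SHA256, which is an assumption of this model.
    """
    for i in range(length):
        if i == 0:
            yield seed
        else:
            msg = i.to_bytes(8, "big") + length.to_bytes(8, "big")
            yield hmac.new(seed, msg, hashlib.sha256).digest()[:BLOCK]


def ed_block(key: bytes, block: bytes) -> bytes:
    """Stand-in for one FKCA/AES step (self-inverse XOR pad, NOT AES)."""
    pad_bytes = hashlib.sha256(b"ed-stand-in" + key).digest()[:BLOCK]
    return bytes(a ^ b for a, b in zip(block, pad_bytes))


def pad(data: bytes) -> bytes:
    """Pad to whole blocks (assumed scheme; the page does not define one)."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK:
        raise ValueError("invalid padding")
    return data[:-n]


def blocks(data: bytes):
    return (data[i:i + BLOCK] for i in range(0, len(data), BLOCK))


def ce_encrypt(plaintext: bytes) -> dict:
    """Encrypt and return the cipher text together with its Two Codes."""
    data = pad(plaintext)
    length = len(data) // BLOCK          # second code: file length in blocks
    seed = png1_seed()                   # first code: the seed
    keys = png2_key_stream(seed, length)
    # Each key is consumed as it is generated and never collected in a list.
    cipher_text = b"".join(ed_block(k, b) for k, b in zip(keys, blocks(data)))
    return {"cipher_text": cipher_text, "two_codes": (seed, length)}


def ce_decrypt(sfs: dict) -> bytes:
    """Regenerate the key stream from the Two Codes and decrypt."""
    seed, length = sfs["two_codes"]
    cipher_text = sfs["cipher_text"]
    if length < 1 or length * BLOCK != len(cipher_text):
        raise ValueError("Two Codes length does not match the cipher text")
    keys = png2_key_stream(seed, length)
    data = b"".join(ed_block(k, b) for k, b in zip(keys, blocks(cipher_text)))
    return unpad(data)
```

The round trip works only because the key stream is a deterministic function of the Two Codes, which is why the model's decryptor needs nothing beyond section 902 and the generator.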

FIG. 6 illustrates the ED module 400. According to the specification of the invented ART-CRYPTO secure architecture, the ED module 400 contains a Random Number Buffer 401, a Data input Buffer 402, an Auto Configuration circuit 403, an ED Processor Array 500, and a Data output Buffer 404. The key stream is input into the Random Number Buffer 401 through 312 and the Random Number Buffer 401 is output into the Auto Configuration circuit 403 through 410. The Clock 1 signal is fed into the Random Number Buffer 401 and the Data input Buffer 402 through 315, and its speed is faster than the Clock 2 316 signal. The Reset signal 317 is distributed into the Random Number Buffer 401, the Data input Buffer 402, the Auto Configuration circuit 403, and the ED Processor Array 500. The data file is input into the Data input Buffer 402 through 314 and the Data input Buffer 402 is output to the Auto Configuration circuit 403 through 411.

According to the specification of the invented ART-CRYPTO secure architecture, the configuration of the Auto Configuration circuit 403 is controlled by the Length signal 311, which is related to the length of the file. The longer the file, the more processors the ED Processor Array 500 will have. The Auto Configuration circuit 403 is like a demultiplexer that distributes the key stream as well as the data file to the different processors in the ED Processor Array 500. The outputs of the Auto Configuration circuit 403 are 412, which carries the encryption/decryption keys, and 413, which carries the blocks of the data file.

According to the specification of the invented ART-CRYPTO secure architecture, as soon as each of the ED processors 501 to 50n in the ED Processor Array 500 receives its individual encryption/decryption key and block of data, it starts its processing asynchronously. The output of the ED Processor Array 500 will be sent into the Data output Buffer 404 through 419. The Data output Buffer 404 is like a Multiplexer, which collects the processed blocks of data back into their original file sequence and outputs them through 313. According to the specification of the invented ART-CRYPTO secure architecture, the other output 318 from the Data output Buffer 404 is a feedback signal, which is sent to the input of the Clock Speed Controller 302 to adjust the speed ratio between the Clock 1 315 signal and the Clock 2 316 signal.

FIG. 7 illustrates the ED Processor Array 500. According to the specification of the invented ART-CRYPTO secure architecture, there are “n” Fast Key Changing Apparatuses (FKCA) in this array. The number “n” depends on the length of the file. The key stream input of the FKCA 501-50n is 412, the data block input is 413, and their output is 419. The Reset signal 317 and the Clock 2 signal 316 are distributed into every FKCA 501-50n. The Reset signal 317 clears the memory in the FKCA 501-50n every time the ED module 400 finishes a file task. The detailed characteristics and specifications of the ED Processor Array 500 were described in U.S. Pat. No. 8,509,424 B2 and the “FLEXIBLE ASIC DESIGN USING THE BLOCK DATA FLOW PARADIGM (BDFP)” thesis, NCSU, 2002.

FIG. 8 illustrates the IAM module 600 when it is in the user ID matching mode. There are three main components involved in this mode, the Comparator 601, the Decision-Making Logic 602, and the Memory 603. When a user raises a request 110 to access an encrypted file and his user ID is found in the distribution list 904, the OSS module 103 will send a request signal 112/630 to the Decision-Making Logic 602, asking for the user ID matching process. The Decision-Making Logic 602 will send a signal 632 to the Memory 603 to locate the user ID. When the Memory 603 finds the user ID, it will retrieve the user ID and send it through 633 to the Comparator 601 to verify the user identity.

The Comparator 601 compares the user ID input 113/631, which is sent from the User Interface 101, with the retrieved user ID 633. The result of the Comparator 601 will be sent to the Decision-Making Logic 602 through 634. If there is a match/not-match during the user ID matching process, the Decision-Making Logic 602 will send a yes/no signal to the OSS module 103 through 635/114. If the input signal 634 of the Decision-Making Logic 602 is not fully matched, or there is a need for more user ID verification, the AI unit in the Decision-Making Logic 602 will send a signal to the IAM module 102 where the user is logged in through 636/113, requesting the user to send interactive biometric data, for example, a video clip of the user's smiling face, for further verification.

FIG. 9 illustrates the IAM module 600 in the updating Special Variable (SV) or inputting new user ID mode. According to the specification of the invented ART-CRYPTO secure architecture, there is an SV that updates the user ID from time to time as the user desires. This SV is generated from an SV device and inputted into the local IAM module 102 when the user logs on to the user's computing device (such as mobile phone, PC, laptop, workstation, IoT controller, etc.). The SV will appear at the input of the Decision-Making Logic 602 through 611.

At the same time, the user's old ID and old SV will also be input from the SV device into the Comparator 601 through 612. When the Comparator 601 receives the 612 input, it will send a signal into the Decision-Making Logic 602 through 613 requesting to replace the old SV in the user ID. The Decision-Making Logic 602 will search for the old user ID in the Memory 603 through 614. When the Memory 603 locates the old user ID, it will output it through 615 into the Comparator 601. The Comparator 601 compares the signal coming from 615 with the signal coming from 612. If both signals are matched, the Comparator 601 sends a signal through 616 to inform the Decision-Making Logic 602 to allow the replacement of the old SV with the new SV.

After the new SV is updated, the Decision-Making Logic 602 sends the updated user ID to store in the IAM Memory 603 through 617. The Decision-Making Logic 602 also sends a copy of the updated user ID to the Hand Shaking with other IAM (Encryption) module 605 through 618. The output of the Hand Shaking with other IAM (Encryption) module 605, which is the newest user ID 619, will be propagated and updated to the remote IAM modules 600 according to the NM.

The input 622 of the Hand Shaking with other IAM (Decryption) module 604 receives the updated user ID from the remote IAM module 600, or a new user ID from the local device, and outputs it into the Memory 603 through 621. Both the Decryption and the Encryption Hand Shaking with other IAM modules 604 and 605 need a key to decrypt or encrypt the updated user ID that is transferred between the IAM modules 600. This key is sent from the Top IAM Control module through 620.

FIG. 10 illustrates the Special File Structure 900. It has the Encrypted Cipher Text section 901, the Two Codes section 902, the Location Map section 903, and the Distribution List section 904. 

What is claimed is:
 1. A cyber space security system where its digital files are always encrypted, both in static and in mobile state, except during the processing period, using the invented ART-CRYPTO secure architecture; the ART-CRYPTO secure architecture comprises an User Interface (UI), an Identity and Authorization Management (IAM) module, a Data Base (DB) with a Special File Structure (SFS), a Cipher Engine (CE) module which comprises of a Pseudo-random Number Generator (PNG) module, a Clock Speed Controller module, and an Encryption/Decryption (ED) module, an Operating System with a special Scheduler (OSS), an Isolated Random-Access Memory (IRAM) where its area is isolated from other user or program when a file is being processed, and an Application Programming Module (App) which its computing resource contains “multiple” general-purpose processors, special-purpose processors, and different kinds of accelerators; the files in the invented ART-CRYPTO secure architecture are divided into blocks, the number of blocks is the file length and a block is 128 bits; each block of a file has its own encryption/decryption key and the key in different block is not repeated; the key stream of a file is generated and processed/consumed within the Cipher Engine (CE) module, which the CE module is an Application Specific Integrated Circuit (ASIC); the key stream is consumed/used up immediately right after its generation within the CE module where there is no extra key stream storage or management; the encrypted files in the DB are in a Special File Structure (SFS) format, which comprises an Encrypted Cipher Text, a Two Codes, a Location Map (LM), and a Distribution List (DL); the encrypted file accessing authorization is determined by whether the user's attribute of the file exists in the DL and whether the user passes the user Identification (ID) verification process, which happens in the DB and the Identity and Authorization Management (IAM) module; all files are encrypted/decrypted in the CE module; the CE module uses the Two Codes in the SFS to encrypt/decrypt files; the plaintext of a file is processed parallelly using multiple and different types of processors with partitioned IRAM surround them according to the data computing structure, which the data computing structure is analyzed by the Operating System Scheduler (OSS); the plaintext of a file is processed in an Isolated Random-Access Memory (IRAM), which is assigned by the OSS.
 2. The ART-CRYPTO secure architecture of claim 1, wherein the ART-CRYPTO secure architecture is embedded in all devices such as computing devices, smart phones, systems, sensors, Internet of Things (IoT) and network environments throughout the Internet.
 3. The ART-CRYPTO secure architecture of claim 1, wherein the plaintext, after being processed by the App module, will be encrypted together with the Two Codes, the Location Map, the DL, and sent back to DB.
 4. The ART-CRYPTO secure architecture of claim 1, wherein the IRAM will be reset back to zero after the plaintext file is being processed by the App module.
 5. The ART-CRYPTO secure architecture of claim 1, wherein said the IAM modules in every device form into a distributed IAM system through the internet; the IAM module updates the user ID using a Special Variable (SV) device each time a user login onto a computing device, wherein the SV device is a sensor which generates a random number through its calculation and provides it to the user ID; the IAM module disseminates the updated user ID throughout the internet to every device wherever the IAM module contains the user ID, and updates the newest user ID; the user ID, which is in the IAM module, synchronizes with the user's attribute of a file, which is in the DL, in real time; the user ID in the IAM module comprises user's biometrics, device hardware address, network domain name, routing addresses, geolocation information, and a Special Variable (SV); the IAM module distributed system has a central control unit, which is able to plug into any IAM module node and controls all the encrypted communication between IAM modules; the IAM module automatically generates a Network Map (NM), which uses each user device's routing address, domain name, device hardware address and the user's login identity when a user login onto a computing device.
 6. The ART-CRYPTO secure architecture of claim 1, wherein said the UI, said the IAM module, said the OSS, and said the DB with the SFS where a DL is, constructs an encrypted file accessing authorization architecture, and facilitates the user ID matching, verifying process.
 7. The ART-CRYPTO secure architecture of claim 1, wherein said the OSS module coordinates said the User Interface (UI), said the IAM module, said the Data Base (DB) with the SFS, said the Cipher Engine (CE) module, said the IRAM and said the App module, to execute the user ID verification process, the file encryption/decryption process, the analyzing of the file data computing structure, the designation of the IRAM, the designation of the computing resource which the computing resource is a heterogeneous multiprocessor system and is used for parallel processing, the plaintext processing, and the storing of the encrypted file back to the DB.
 8. The ART-CRYPTO secure architecture of claim 1, wherein said the IAM module is designed to store user ID, where the user ID can be updated, erased, but not to be retrieved from the IAM module.
 9. The ART-CRYPTO secure architecture of claim 1, wherein said the IAM module has an Artificial Intelligence (AI) unit, which is designed to do user's interactive biometric ID data verification while the user ID is not fully matched with the stored original user ID.
 10. The ART-CRYPTO secure architecture of claim 1, wherein said the IAM module and said the OSS module has a simple handshaking communication, which is a point to point communication.
 11. The ART-CRYPTO secure architecture of claim 1, wherein the said encrypted file will be removed, transferred, or self-destroyed from the DB of that device/computing system if the device's OSS module fails to receive a point to point responding signal from the IAM module after the OSS module requesting the IAM module to do a user ID verification process for certain times.
 12. The ART-CRYPTO secure architecture of claim 1, wherein said the user's attribute in the said DL can only be modified by the owner of the encrypted file, his superior, or the super user; the user's attribute is updated and distributed to the DL where the file is located according to the LM once it is being modified.
 13. The ART-CRYPTO secure architecture of claim 1, wherein said the Location Map contains all the file location information and is updated according to the file transfer, termination, and creation.
 14. The ART-CRYPTO secure architecture of claim 1, wherein said the ED module comprises an Encryption/Decryption scalable processor array, a Random Number Buffer, a Data Input Buffer, an Auto Configuration unit, and a Data output Buffer; the processors in the ED scalable processor array are the Fast Key-Changing Apparatus (FKCA) for Advanced Encryption System (AES) cipher engine; the Auto Configuration unit configures the number of processors that are to be used in the ED processor array according to the length of the file and makes the processor array scalable.
 15. The ART-CRYPTO secure architecture of claim 1, wherein said the ED module uses the file length and the key stream to encrypt/decrypt a file.
 16. The ART-CRYPTO secure architecture of claim 1, wherein said the PNG module comprises two PNGs, which are hardware devices; the first PNG generates a starting key automatically for the key stream without human interference/intervene; the second PNG generates the key stream using two numbers; the first number which the second PNG uses is the random number that is generated by the first PNG, which is also the first number of the Two Codes in the SFS; the second number which the second PNG uses is the length of the file, which is the second number of the Two Codes in the SFS; the PNG module generates the key stream and is used immediately by the ED module, where the PNG module and the ED module are in the CE module, which is an ASIC.
 17. The ART-CRYPTO secure architecture of claim 1, wherein said the PNG module has an enable input, which can be triggered at any time by the owner of a file when the owner of the file feels the need to re-encrypt the file.
 18. The ART-CRYPTO secure architecture of claim 1, wherein said the Clock Speed Controller module in the CE module adjusts the clock speed between the inputting data rate of the ED module, the inputting key stream rate of the ED module, and the processing speed of the ED processor array.
 19. The ART-CRYPTO secure architecture of claim 1, wherein said the OSS module, after the plaintext is moved to the IRAM, analyzes the data computing structure, designates the heterogeneous computing resource, configures an IRAM area to surround the computing resource and facilitates the parallel processing of the plaintext file. 